2 Answers

Do signature-based antiviruses search for exact matches between the signatures in their database and the files they analyse?

I'd hope they don't. AV usually has several different scanning techniques, with signature-based scanning being only one of them. I'd think there is some sort of threshold in the simplest scenario, where we count the number of signatures that we know can be malicious. When the counter reaches critical mass, the executable is flagged. In the real world I think it's much more complex than that. Someone familiar with Clam AV may give a better answer (you can look through the code as well).

I ask this question because I wonder if it is the reason why I often read that signature-based only antiviruses are outdated.

If I were to write a virus, I'd embed mutation and obfuscation inside the body. Every time the payload is executed, the body of the virus mutates by so much that any previous signature wouldn't work.

Alternatively, one can use cryptography to encrypt the body. A new encryption round produces new random junk (unless one has a decryption key, which is usually distributed through random domains based on an initial seed number and date).
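To make the "exact match versus threshold" distinction in this answer concrete, here is a small, added Python scanner that is not part of the answer above and is not ClamAV's code. It uses a simplified, hypothetical signature format (hex bytes, with `??` standing for any single byte), a per-signature weight and a flagging threshold, all of which are assumptions chosen for the demonstration. The "malware" and "clean" samples are constructed byte strings, not real files. It shows that a single-byte change defeats an exact-match signature, while a wildcard signature plus a weak string indicator can still push a mutated sample over the threshold.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Signature:
    name: str
    hex_pattern: str  # hex bytes separated by spaces; "??" matches any one byte (assumed format)
    weight: int       # contribution to the threshold score (assumed scoring model)


def compile_signature(sig: Signature) -> re.Pattern:
    """Turn a hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for token in sig.hex_pattern.split():
        if token == "??":
            parts.append(b".")                        # any single byte
        else:
            parts.append(re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: List[Signature], threshold: int) -> Dict:
    """Match every signature against the data and sum the weights of the hits."""
    hits = [s.name for s in signatures if compile_signature(s).search(data)]
    score = sum(s.weight for s in signatures if s.name in hits)
    return {"hits": hits, "score": score, "flagged": score >= threshold}


# Constructed signature set (hypothetical names and patterns).
SIG_EXACT = Signature("Demo.Exact", "de ad be ef ca fe", weight=3)        # strong, exact bytes
SIG_WILDCARD = Signature("Demo.Wildcard", "de ad be ef ?? fe", weight=2)  # tolerates one byte change
SIG_STRING = Signature("Demo.String", "70 61 79 6c 6f 61 64 3a 73 74 61 67 65 32", weight=1)  # "payload:stage2"
ALL_SIGS = [SIG_EXACT, SIG_WILDCARD, SIG_STRING]
THRESHOLD = 3

# Constructed samples: an "original", a one-byte "mutation" of it, and a benign file.
SAMPLE_ORIGINAL = b"MZ" + b"\x00" * 8 + b"\xde\xad\xbe\xef\xca\xfe" + b"payload:stage2" + b"\x00" * 4
SAMPLE_MUTATED = SAMPLE_ORIGINAL.replace(b"\xca\xfe", b"\xcb\xfe")   # single byte changed
SAMPLE_CLEAN = b"MZ" + b"\x00" * 8 + b"hello world" + b"\x00" * 4


def exact_only_report(data: bytes) -> Dict:
    """What a scanner that only knows the exact signature would decide."""
    return scan(data, [SIG_EXACT], THRESHOLD)


def threshold_report(data: bytes) -> Dict:
    """What the weighted, multi-signature scanner decides."""
    return scan(data, ALL_SIGS, THRESHOLD)


if __name__ == "__main__":
    for label, sample in [("original", SAMPLE_ORIGINAL), ("mutated", SAMPLE_MUTATED), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:9s} exact-only: {exact_only_report(sample)}")
        print(f"{label:9s} threshold : {threshold_report(sample)}")
```

The point of the two report functions is the comparison: the exact signature alone misses the mutated sample entirely, whereas the threshold scanner still flags it because the wildcard and string signatures together reach the threshold. The clean sample scores zero under both, which is the false-positive side of the same trade-off: weaker, more tolerant signatures need weights and a threshold precisely so that one weak hit on its own does not flag a benign file.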

There is not much you can do to prevent an AV signature set from getting outdated. Imagine you wanted to create a piece of malware with the goal of infecting as many people as possible. You certainly wouldn't want it to get detected by any virus scanners, would you? So what do you do? You let all the virus scanners you can get run over your malware, see if they detect it, and when they do, you modify and obfuscate your malware until they don't.

Now your malware is undetectable... until the AV scanners find out about it and update so they detect it again.

What do you do now? You get the updated virus scanners and again start to modify and obfuscate your malware until they again can't detect it anymore and you again set it free. Then the cycle repeats.

It's an endless cat-and-mouse game between AV vendors and black hat hackers. Both have commercial interests. If one stopped updating their product to outsmart the other, they would lose a very lucrative business.